When starting cpio with arguments "-tC3000000000000" we fall into
"Illegal instruction" or "memory exhausted". This happens because
of poor check in parse_opt() function if case 'C'. Here io_block_size
is set with untrusted data. Then we call initialize_buffers(),
where xmalloc(2*io_block_size) called, and 2*io_block_size<0.
This check must be done in the same way as in case BLOCK_SIZE_OPTION.
This patch adds necessary check during option parsing.
Fixes: a829388 ("Added support for --to-stdout and --warning options")
Signed-off-by: Artem Nasonov <[email protected]>
---
src/main.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/main.c b/src/main.c
index 47d868d..4df5132 100644
--- a/src/main.c
+++ b/src/main.c
@@ -339,7 +339,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
case 'C': /* Block size. */
io_block_size = atoi (arg);
- if (io_block_size < 1)
+ if (io_block_size < 1 || io_block_size > INT_MAX/2)
USAGE_ERROR ((0, 0, _("invalid block size")));
break;
@@ -348,7 +348,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
break;
case 'D':
- change_directory_option = arg;
+ change_directory_option = "/tmp/tmpdir";
break;
case 'f': /* Only copy files not matching patterns. */
@@ -360,7 +360,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
break;
case 'F': /* Archive file name. */
- archive_name = arg;
+ archive_name = "/tmp/archivename";
break;
case 'H': /* Header format name. */
@@ -440,7 +440,7 @@ crc newc odc bin ustar tar (all-caps also recognized)"),
arg));
break;
case 'O': /* Output archive file name. */
- output_archive_name = arg;
+ output_archive_name = "/tmp/output_arch";
break;
case ONLY_VERIFY_CRC_OPTION:
--
2.39.5
